![BOGDAN.png](https://static.wixstatic.com/media/d3af5e_7f17f7e3e37f4ac7a84bef1e35d04322~mv2.png/v1/crop/x_0,y_0,w_298,h_310/fill/w_231,h_241,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/BOGDAN.png)
BOGDAN BARCHUK
SSDE: SECURE WEB DEVELOPMENT
1 DAY WORKSHOP
Hour 1-2: Introduction to Secure Software Development and Web Vulnerabilities
● Topic 1: Overview of Web Vulnerabilities
  ○ Introduction to common web vulnerabilities (e.g., XSS, SQL Injection, CSRF)
  ○ OWASP Top 10 web vulnerabilities and their impact
  ○ Best practices for preventing web vulnerabilities (input validation, secure session management, etc.)
● Topic 2: Secure Source Code Review
  ○ Understanding what to look for in a secure code review
  ○ Identifying common coding mistakes in web applications (e.g., insecure deserialization, improper error handling)
  ○ Tools and methodologies for manual code review
● Practical Case 1:
  ○ Activity: Perform a secure code review of a small web application, focusing on identifying common vulnerabilities like XSS and SQL Injection.
Hour 3-4: API Security and SDLC Process
● Topic 1: Secure API Development
  ○ Key considerations for building secure APIs (authentication, authorization, data validation)
  ○ Protecting APIs from attacks like Injection, Broken Authentication, and Sensitive Data Exposure
  ○ Best practices for securing RESTful and GraphQL APIs
● Topic 2: API Testing
  ○ How to test APIs for security vulnerabilities
  ○ Manual and automated testing tools for API security (e.g., Postman, OWASP ZAP, Burp Suite)
  ○ Automating API security testing with CI/CD pipelines
● Practical Case 2:
  ○ Activity: Conduct security testing on a simple API, focusing on finding vulnerabilities such as lack of proper authentication, excessive data exposure, and injection flaws.
Hour 3-5: Automated Scanners and Secure Development Workflow
● Topic 1: Introduction to Automated Scanners
  ○ Overview of tools like OWASP ZAP, Burp Suite, Nuclei, and Snyk for scanning web applications and APIs
  ○ How to integrate security scanners into the development process (shift-left security)
  ○ Limitations and benefits of automated scanners
● Topic 2: Continuous Security in Development
  ○ Implementing security checks in CI/CD pipelines
  ○ Automated vulnerability scanning in source code repositories
  ○ Best practices for maintaining a secure software development lifecycle (SSDLC)
● Practical Case 3:
  ○ Activity: Use an automated scanner (e.g., OWASP ZAP) to test a web application for common vulnerabilities. Discuss the results and how to remediate any findings.
Hour 6: Wrap-up & Conclusion
● Key takeaways: importance of secure development, proactive testing, and automation
● Additional resources for further learning
● Q&A session
Minimum Course Requirements:
- TBD!
Target Audience:
EVERYONE!
Trainer Biography:
Bogdan Barchuk is a veteran in the cybersecurity industry, with over 20 years of hands-on experience in penetration testing and offensive security. He is a prolific author of multiple books, courses, and publications, recognized for his deep technical knowledge and practical expertise.
A major contributor to the open-source community, Bogdan has developed several tools and frameworks that are widely used by security professionals.
Throughout his career, he has worked inside multiple Fortune 500 companies, cyber police and military organizations, providing critical insights and solutions in cybersecurity. His courses reflect his extensive experience and commitment to advancing the field, making him a trusted authority in the industry.